Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
589
Views
5
Helpful
1
Replies

On ASA5525 with vanilla setup, need to place ACL on outside int?

Go to solution
MicJameson1
VIP Alumni
VIP Alumni

‎01-26-2023 11:39 AM

Hi.

On an ASA5525 within a vanilla configuration, because of default "0, 50, 100" security levels, and also because default is "sysopt connection permit-vpn",

Is there a general need to place any ACL on the outside interface?

Thank you.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎01-26-2023 11:42 AM - edited ‎01-26-2023 11:42 AM

@MicJameson1 No. The outside interface would as default have a security level of 0, the inside interface with a security level of 100, traffic from lower security level (0) to higher (100) would, by default be denied. You only need an ACL inbound on the outside interface if you wish to selectively permit traffic.

"sysopt connection permit-vpn" is applicable to ignoring the interface ACL for encrypted traffic (L2L or RAVPN).

View solution in original post

1 Reply 1

Go to solution
Rob Ingram
VIP
VIP

‎01-26-2023 11:42 AM - edited ‎01-26-2023 11:42 AM

@MicJameson1 No. The outside interface would as default have a security level of 0, the inside interface with a security level of 100, traffic from lower security level (0) to higher (100) would, by default be denied. You only need an ACL inbound on the outside interface if you wish to selectively permit traffic.

"sysopt connection permit-vpn" is applicable to ignoring the interface ACL for encrypted traffic (L2L or RAVPN).

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card